Ticket #465: 465-delete-attachment.patch

mediagoblin/db/models.py

@@ -30 +30 @@
 from sqlalchemy.ext.associationproxy import association_proxy
 from sqlalchemy.util import memoized_property
 
+from mediagoblin import mg_globals
 from mediagoblin.db.extratypes import (PathTupleWithSlashes, JSONEncoded,
                                        MutationDict)
 from mediagoblin.db.base import Base, DictReadAttrProxy
@@ -449 +450 @@
     def dict_view(self):
         """A dict like view on this object"""
         return DictReadAttrProxy(self)
+    
+    def delete(self, **kwargs):
+        """Delete MediaAttachmentFile"""
+
+        try:
+            mg_globals.public_store.delete_file(self.filepath)
+        except OSError, error:
+            _log.error('No such attachment file to delete: {0}'.format(str(error)))
+        _log.info('Deleted Attachment entry id "{0}"'.format(self.id))
+        
+        super(MediaAttachmentFile, self).delete(**kwargs)
+
 
 
 class Tag(Base):

mediagoblin/static/css/base.css

@@ -262 +262 @@
   font-family: 'Lato', sans-serif;
 }
 
+.button_small {
+  padding: 1px 3px;
+  font-size: 14px;
+}
+
+.nowrap {
+  white-space: nowrap;
+}
+
 .pagination {
 text-align: center;
 }
@@ -864 +873 @@
     padding: 5px 14px;
     margin-bottom: 0.5em;
   }
+  
+  .button_small {
+    padding: 1px 3px;
+    font-size: 14px;
+  }
     
 }
 /* desktop resolutions */

mediagoblin/templates/mediagoblin/user_pages/media.html

@@ -204 +204 @@
       <h3>{% trans %}Attachments{% endtrans %}</h3>
       <ul>
         {%- for attachment in media.attachment_files %}
-          <li>
+          <li class="nowrap">
             <a href="{{ request.app.public_store.file_url(attachment.filepath) }}">
               {{- attachment.name -}}
             </a>
+            {% if request.user and
+                (media.uploader == request.user.id or
+                request.user.has_privilege('admin')) %}
+            {% set delete_url = request.urlgen('mediagoblin.user_pages.media_confirm_delete_attachment',
+                                 user=media.get_uploader.username,
+                                 media_id=media.id,
+                                 attachment_id=attachment.id) %}
+            <a class="button_action button_warning button_small" href="{{ delete_url }}">{% trans %}Delete{% endtrans %}</a>
+            {%- endif %}
           </li>
         {%- endfor %}
       </ul>

new file mediagoblin/templates/mediagoblin/user_pages/media_confirm_delete_attachment.html

@@ +1 @@
+{#
+# GNU MediaGoblin -- federated, autonomous media hosting
+# Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#}
+{% extends "mediagoblin/base.html" %}
+
+{% import "/mediagoblin/utils/wtforms.html" as wtforms_util %}
+
+{% block mediagoblin_content %}
+
+  <form action="{{ request.urlgen('mediagoblin.user_pages.media_confirm_delete_attachment',
+                                user=media.get_uploader.username,
+                                media_id=media.id,
+                                attachment_id=attachment.id) }}"
+        method="POST" enctype="multipart/form-data">
+    <div class="form_box">
+      <h2>
+          {% trans %}Really delete this attachment?{% endtrans %}
+      </h2>
+      <h3>
+          {{ attachment.name }}
+      </h3>      
+
+      <br />
+
+      <p class="delete_checkbox_box">
+        {{ form.confirm }}
+        {{ wtforms_util.render_label(form.confirm) }}
+      </p>
+
+      <div class="form_submit_buttons">
+        {# TODO: This isn't a button really... might do unexpected things :) #}
+        <a class="button_action" href="{{ media.url_for_self(request.urlgen) }}">{% trans %}Cancel{% endtrans %}</a>
+        <input type="submit" value="{% trans %}Delete permanently{% endtrans %}" class="button_form button_warning" />
+        {{ csrf_token }}
+      </div>
+    </div>
+  </form>
+{% endblock %}    

mediagoblin/user_pages/routing.py

@@ -31 +31 @@
           '/u/<string:user>/m/<int:media_id>/confirm-delete/',
           'mediagoblin.user_pages.views:media_confirm_delete')
 
+add_route('mediagoblin.user_pages.media_confirm_delete_attachment',
+          '/u/<string:user>/m/<int:media_id>/confirm-delete-attachment/<int:attachment_id>/',
+          'mediagoblin.user_pages.views:media_confirm_delete_attachment')
+
 # Submission handling of new comments. TODO: only allow for POST methods
 add_route('mediagoblin.user_pages.media_post_comment',
           '/u/<string:user>/m/<int:media_id>/comment/add/',

mediagoblin/user_pages/views.py

@@ -20 +20 @@
 
 from mediagoblin import messages, mg_globals
 from mediagoblin.db.models import (MediaEntry, MediaTag, Collection,
-                                   CollectionItem, User)
+                                   CollectionItem, User, MediaAttachmentFile)
 from mediagoblin.tools.response import render_to_response, render_404, \
     redirect, redirect_obj
 from mediagoblin.tools.text import cleaned_markdown_conversion
@@ -331 +331 @@
         'mediagoblin/user_pages/media_confirm_delete.html',
         {'media': media,
          'form': form})
+    
+@get_media_entry_by_id
+@require_active_login
+@user_may_delete_media
+def media_confirm_delete_attachment(request, media):
+
+    # media_id is verified to prevent attacks by URL with fake media/attachment pair  
+    attachment = MediaAttachmentFile.query.filter_by(
+                id=request.matchdict['attachment_id'],
+                media_entry=request.matchdict['media_id']).first()              
+    if not attachment:
+            return render_404(request)
+        
+    form = user_forms.ConfirmDeleteForm(request.form)
+
+    if request.method == 'POST' and form.validate():
+        if form.confirm.data is True:
+
+            attachment.delete();
+            messages.add_message(
+                request, messages.SUCCESS, _('You deleted the attachment.'))
+            return redirect_obj(request, media)
+        
+        else:
+            messages.add_message(
+                request, messages.ERROR,
+                _("The attachment was not deleted because you didn't check that you were sure."))
+            return redirect_obj(request, media)
+
+    if ((request.user.has_privilege(u'admin') and
+         request.user.id != media.uploader)):
+        messages.add_message(
+            request, messages.WARNING,
+            _("You are about to delete another user's attachment. "
+              "Proceed with caution."))
+
+    return render_to_response(
+        request,
+        'mediagoblin/user_pages/media_confirm_delete_attachment.html',
+        {'media': media,
+         'form': form,
+         'attachment': attachment})
+
 
 @user_not_banned
 @active_user_from_url